We had the opportunity to interview both Dr. Mark Wells and Dr. James Tippey on the importance of critical thinking in cybersecurity. Dr. Wells has a background in ethics and philosophy while Dr. Tippey has a background in both cybersecurity and religion; together, they teach Cyber Ethics for the Carolina Cyber Center.
Interviewer: Let’s talk about critical thinking. It’s one of the core values at the Carolina Cyber Center, and something we believe every cyber professional should have. But how do we define it?
Dr. Wells: I would say it’s the skill of asking the right questions without being satisfied by a simple answer. Answers are complex and involve a lot of different perspectives. Question your own assumptions as well. When you ask the right questions, your own assumptions come under analysis. These questions lead you to think differently and explore new ways of looking at an issue.
Reasoning is a big part of that with many principles you can incorporate. When you teach critical thinking, the first thing is to learn how to ask good questions. Question everything. You may come up with the same answers you’ve had, but it’s still helpful to honestly question without relying on an easy answer.
Dr. Tippey: I would echo that. Critical thinking is an examination from multiple perspectives by asking questions. With my background in religious studies, critical thinking around religion was one of the skills that my professors brought to bear. In the realm of cybersecurity, while the answers that worked yesterday are important to answer, they may not be the answers that you need today. Because of this, you approach from different perspectives and directions to evaluate the issue you’re being faced with.
Interviewer: Absolutely. If I could push a little farther on this topic, it seems like we’re saying critical thinking builds off curiosity. Can you both speak to that at all?
Dr. Wells: Curiosity is questioning, asking good questions. Critical thinking is not accepting the pat answers but exploring instead. Explore a variety of answers and seriously consider all of them. On a related note, without hearing diverse perspectives it is impossible to learn—surrounding yourself with the same perspectives only reinforces what you already think. Diversity in the “classic” sense (e.g., men and women of color, gender) is important for many reasons, but the critical diversity we’re speaking of here is the diversity of thought, the diversity of one’s mental models… the diversity that drives us all to better decisions and thus better outcomes.
Dr. Tippey: In cyber specifically, curiosity is essential. The bad guys push boundaries, so if I’m not pushing the boundaries of my own thinking, they will get ahead of me. The piece that reconnects this with critical thinking is what we call adversary thinking. When I think like a hacker, I have to question my thought process to see what the hacker sees. They’re not working within my defined methods, they’re looking for a way to get into my network, pivoting and shifting towards their target. Adversarial thinking moves us outside of our normal thought processes and into critical thinking. This process takes community, however. You have to learn from other curious and critically thinking cyber professionals.
Interviewer: As instructors for the Carolina Cyber Center, what does it look like to teach ethics in cybersecurity?
Dr. Wells: I teach about a third of the course in cyber ethics. Beginning with general ethics, we start applying the general ethical principles to cybersecurity studies together. The second portion of the class covers some recent laws passed in cybersecurity, both nationally and internationally. Of course, we also talk about cybercrime in the context of cyber laws as we sprinkle case studies in.
Dr. Tippey: That’s exactly right. We always wrap it back to the ethics portion because we’re trying to train ethical cybersecurity professionals of character. Whether I’m teaching the penetration testing course or the operating system course, I want to tie it back to making good moral decisions.
Interviewer: To wrap this up, how would you practically use critical thinking in cybersecurity ethical dilemmas?
Dr. Wells: In cyber ethics class we teach a four-step process. First, you need to get the facts. Don’t just act. Acting prematurely is our tendency, but you can’t do that. The first thing you do is see what’s happening, who’s involved, where’s it coming from, and what kind of attack it is. Second, discern the problem. Understand what can ethically be done so you can identify what is past that boundary line. Thirdly, evaluate alternatives once you know the basic facts. Once you know what the problem is it’s time to work on your solution; this is where critical thinking is extremely important. It takes critical thinking and creativity to find possible solutions, and it takes collaboration and diversity of thought to ensure that you have enough possible solutions. Finally, choose and act according to whatever ethical solution is best. If these four steps become habitual, your reaction will not be premature action, but critical analysis.
At the Carolina Cyber Center, we want to help equip you to think critically as a cyber professional. Don’t hesitate to contact us with your questions! Interested in becoming a cyber professional? Apply for a Carolina Cyber Center Academy cohort beginning this summer and become a trained, critically thinking Cyber Analyst!